FORGET THE DICTIONARY If your password can be found in a dictionary, you might as well not have one. “The worst passwords are dictionary words or a small number of insertions or changes to words that are in the dictionary,” said Mr. Kocher. Hackers will often test passwords from a dictionary or aggregated from breaches. If your password is not in that set, hackers will typically move on.

NEVER USE THE SAME PASSWORD TWICE People tend to use the same password across multiple sites, a fact hackers regularly exploit. While cracking into someone’s professional profile on LinkedIn might not have dire consequences, hackers will use that password to crack into, say, someone’s e-mail, bank, or brokerage account where more valuable financial and personal data is stored.

COME UP WITH A PASSPHRASE The longer your password, the longer it will take to crack. A password should ideally be 14 characters or more in length if you want to make it uncrackable by an attacker in less than 24 hours. Because longer passwords tend to be harder to remember, consider a passphrase, such as a favorite movie quote, song lyric, or poem, and string together only the first one or two letters of each word in the sentence.

OR JUST JAM ON YOUR KEYBOARD For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. “That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”

STORE YOUR PASSWORDS SECURELY Do not store your passwords in your in-box or on your desktop. If malware infects your computer, you’re toast. Mr. Grossman stores his password file on an encrypted USB drive for which he has a long, complex password that he has memorized. He copies and pastes those passwords into accounts so that, in the event an attacker installs keystroke logging software on his computer, they cannot record the keystrokes to his password. Mr. Kocher takes a more old-fashioned approach: He keeps password hints, not the actual passwords, on a scrap of paper in his wallet. “I try to keep my most sensitive information off the Internet completely,” Mr. Kocher said.

A PASSWORD MANAGER? MAYBE Password-protection software lets you store all your usernames and passwords in one place. Some programs will even create strong passwords for you and automatically log you in to sites as long as you provide one master password. LastPass, SplashData and AgileBits offer password management software for Windows, Macs and mobile devices. But consider yourself warned: Mr. Kocher said he did not use the software because even with encryption, it still lived on the computer itself. “If someone steals my computer, I’ve lost my passwords.” Mr. Grossman said he did not trust the software because he didn’t write it. Indeed, at a security conference in Amsterdam earlier this year, hackers demonstrated how easily the cryptography used by many popular mobile password managers could be cracked.

IGNORE SECURITY QUESTIONS There is a limited set of answers to questions like “What is your favorite color?” and most answers to questions like “What middle school did you attend?” can be found on the Internet. Hackers use that information to reset your password and take control of your account. Earlier this year, a hacker claimed he was able to crack into Mitt Romney’s Hotmail and Dropbox accounts using the name of his favorite pet. A better approach would be to enter a password hint that has nothing to do with the question itself. For example, if the security question asks for the name of the hospital in which you were born, your answer might be: “Your favorite song lyric.”

USE DIFFERENT BROWSERS Mr. Grossman makes a point of using different Web browsers for different activities. “Pick one browser for ‘promiscuous’ browsing: online forums, news sites, blogs — anything you don’t consider important,” he said. “When you’re online banking or checking e-mail, fire up a secondary Web browser, then shut it down.” That way, if your browser catches an infection when you accidentally stumble on an X-rated site, your bank account is not necessarily compromised. As for which browser to use for which activities, a study last year by Accuvant Labs of Web browsers — including Mozilla Firefox, Google Chrome and Microsoft Internet Explorer — found that Chrome was the least susceptible to attacks.

SHARE CAUTIOUSLY “You are your e-mail address and your password,” Mr. Kocher emphasized. Whenever possible, he will not register for online accounts using his real e-mail address. Instead he will use “throwaway” e-mail addresses, like those offered by 10minutemail.com. Users register and confirm an online account, which self-destructs 10 minutes later. Mr. Grossman said he often warned people to treat anything they typed or shared online as public record.

“At some point, you will get hacked — it’s only a matter of time,” warned Mr. Grossman. “If that’s unacceptable to you, don’t put it online.”

A good one I've found is to use a word from another language, and eastern european, asian etc... something that can be spelled out on an english keyboard, then using numbers to replace certain letters... but alas, xendrome does also make a good point

The problem is that most people have too many accounts and hard to remember all the passwords. They choose the easy way is to have the same password for pretty much all accounts. The way I have all passwords different for each account, but it's still easy to remember all.

Just create one complex password (mix lower case, upper case, numbers, special character ... etc...). Then you can add the last two letters (or 3 up to you) based on the account. Pick one logic, so you won't forget.

Eg. my password is sAmpL3pa55.

So if I have account with Hotmail, and I pick the first and last letter, so my password now is sAmpL3pa55hl
For newegg, I have sAmpL3pa55ng
... and so on.

This is the easy logic to have different password for each account you own, and you still have the strong passwords.

“That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”
I think that in this situation it would be probably better to give them the password and have the chance to live. You might end up dead anyway, but at least it's a chance.

OR JUST JAM ON YOUR KEYBOARD For sensitive accounts, Mr. Grossman says that instead of a passphrase, he will randomly jam on his keyboard, intermittently hitting the Shift and Alt keys, and copy the result into a text file which he stores on an encrypted, password-protected USB drive. “That way, if someone puts a gun to my head and demands to know my password, I can honestly say I don’t know it.”

That's a great way to get yourself killed; assuming you're ever in a situation like that. Nobody in this day and age has an excuse to make a password based off a word that can be found in a dictionary are something such as "12345." People that do this honestly deserve to be hacked.

This is the most widely repeated advice on passwords, and it's completely wrong. "correct horse battery staple" is about as secure as "xkcd" because - guess what - crackers use this newfangled thing called a dictionary.

The problem is that most people have too many accounts and hard to remember all the passwords. They choose the easy way is to have the same password for pretty much all accounts. The way I have all passwords different for each account, but it's still easy to remember all.

Just create one complex password (mix lower case, upper case, numbers, special character ... etc...). Then you can add the last two letters (or 3 up to you) based on the account. Pick one logic, so you won't forget.

Eg. my password is sAmpL3pa55.

So if I have account with Hotmail, and I pick the first and last letter, so my password now is sAmpL3pa55hlFor newegg, I have sAmpL3pa55ng... and so on.

This is the easy logic to have different password for each account you own, and you still have the strong passwords.

the problem with that is that attackers actually take this into account as well, and if you look at the recent high profile cracks a lot of users do append the site's name (or a derivative thereof) onto a "general" password and it's no better because the pattern is trivial to figure out. now, part of it could be mitigated if everyone actually used sane password storage practices, but that seems to be quite a rarity.

Not really. They still have to figure out the complex password that you create. My logic is the easy way to have diff passwords for each account. I don't recommend people to create a simple one and attach the site name after like 123newegg.

the problem with that is that attackers actually take this into account as well, and if you look at the recent high profile cracks a lot of users do append the site's name (or a derivative thereof) onto a "general" password and it's no better because the pattern is trivial to figure out. now, part of it could be mitigated if everyone actually used sane password storage practices, but that seems to be quite a rarity.

I think people are being a little paranoid here. There are over 6 billion people in the world. There is security in just the shear number of people who use computers. No one cares about an individual person unless your really important. As long as you make your passwords reasonably hard to guess there should be nothing to worry about.

I think people are being a little paranoid here. There are over 6 billion people in the world. There is security in just the shear number of people who use computers. No one cares about an individual person unless your really important. As long as you make your passwords reasonably hard to guess there should be nothing to worry about.

sure it's unlikely that someone would individually target you, but when a huge corp's databases leak and you have a weak/non-unique password, you bet the attackers will take advantage of that. they won't care who you are, but they will care about your bank account.

This is the most widely repeated advice on passwords, and it's completely wrong. "correct horse battery staple" is about as secure as "xkcd" because - guess what - crackers use this newfangled thing called a dictionary.

The math is easy. Can you explain why he's wrong?

Assume I use diceware and assume I give you the dictionary that I used to generate passwords (7776 words). Assume I tell you my password is at most 6 words long. Calculate the key space taking into account what you know:7776^6 = 2.2E23

Compare to a 12 character "random, but easily typed character" password: a-zA-Z0-9 and all of the typical symbols: !@#$[];',. etc. Let's just call it 80 characters.

Sigma(n=1,12) 80^n = 7.0E22

So 6 random words form a dictionary that the attacker knows is an order of magnitude larger search space than 12 random characters.

My comparison assumes the 'best case' for random passwords: brute force search of the entire key space. I also assumed the worst case for diceware passwords (the attacker knows exactly which words are valid in my password, that I used only lower case letters to type them, that it's exactly 6 words long - not 4, not 7) and still diceware is better than 12 random digits by a large amount. Bumping it to 16 random characters vs 6 random words does not erase the advantage diceware ware if you allow me a minor change like "maybe I don't use spaces" or "maybe I capitalize some words".

The XKCD comic restricted the comparison space - he assumed the attacker knew the strategies in both cases and tuned his algorithm accordingly. He was also considering the common advice to start with a random word and modify it some way - that ends up in a much smaller amount of entropy than a purely random password. I tried to correct for these short comings in my example just to show that his advice still holds.

In his example and looking at his concerns (how hard is it to generate and memorize a strong password) things favour the random words approach even more. If the attacker doesn't have information about what passwords should look like and they resort to brute forcing the entire a-z0-9+symbols search space then the longer password will be stronger - that tends to favour diceware for the reason he highlighted.

Note that the advantage calculated here is much higher than in my example because here he's assuming the attacker only knows that he has to search a-z+spaces, not that he can restrict his key space to combinations of a specific list of 7776 words.

Using keychain to generate a 12 character random password:

Password: zXn6(iy77&:r

Search space: 5.23E23

Massive Cracking Array Scenario: 1.74 centuries

Assuming compute speed doubles ever year and that 1.74 centuries starts looking pretty damn small. If you're sending 'sexy pictures' with a 12 character password to a mistress now - they'll be pretty easy to crack (1 month) in 10 years when your wife is looking to divorce for a history of cheating. What are the odds those files end up laying about on a gmail account waiting for a sopena?In order to reach the same "durability" as I had with diceware I had to use a 30 character random character password. That seems to demonstrate exactly the point Randal was making: a few random words is just as strong and infinitely easier to memorize than random passwords or using a common strategy of mangling an uncommon word in predictable ways.